Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20231201-en
resource tags: arch:x64 arch:x86 image:win7-20231201-en locale:en-us os:windows7-x64 system
submitted: 05-12-2023 00:16
Behavioral task: behavioral1
Sample: 22379be846f2856c90a47fda13776e5b.exe
Resource: win7-20231201-en (windows7-x64)
4 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 22379be846f2856c90a47fda13776e5b.exe
Resource: win10v2004-20231127-en (windows10-2004-x64)
4 signatures, 150 seconds
General
Target: 22379be846f2856c90a47fda13776e5b.exe
Size: 37KB
MD5: 22379be846f2856c90a47fda13776e5b
SHA1: 1562ca8e25002572bfa3debb2166186fc6c15757
SHA256: 93f5fa4893007b17277433e909b9c8a3cd668cabf3cfa7642c3ca180e769a657
SHA512: f19476e614d50ec1c01aa29c6b7681af47f2a0a57a55a8c19f9e53ba907f8c324b669f475780b3507dd849195d358680c72a5f980684a021097b8cd3fc5b8dde
SSDEEP: 384:SQmOq0IiejvCVLO309QmykrtG+dA+VCwvOSifrAF+rMRTyN/0L+EcoinblneHQMX:SGLdGdkrgYUwWS0rM+rMRa8NuNmt
Score: 8/10
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
Token: 33  2468  22379be846f2856c90a47fda13776e5b.exe
Token: SeIncBasePriorityPrivilege  2468  22379be846f2856c90a47fda13776e5b.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
PID 2468 wrote to memory of 2040  2468  22379be846f2856c90a47fda13776e5b.exe  netsh.exe
PID 2468 wrote to memory of 2040  2468  22379be846f2856c90a47fda13776e5b.exe  netsh.exe
PID 2468 wrote to memory of 2040  2468  22379be846f2856c90a47fda13776e5b.exe  netsh.exe
PID 2468 wrote to memory of 2040  2468  22379be846f2856c90a47fda13776e5b.exe  netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\22379be846f2856c90a47fda13776e5b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22379be846f2856c90a47fda13776e5b.exe"
  PID: 2468
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\22379be846f2856c90a47fda13776e5b.exe" "22379be846f2856c90a47fda13776e5b.exe" ENABLE
    PID: 2040
    - Modifies Windows Firewall